Facebook Says Hackers Stole Detailed Personal Data from 14M People (bloomberg.com)
616 points by aportnoy on Oct 12, 2018 | 207 comments

Facebook posting: https://newsroom.fb.com/news/2018/10/update-on-security-issu...

Check if you are affected here: https://www.facebook.com/help/securitynotice

(posting because it took 10+ mins to find it - many media outlets are not linking directly to it)

Here's the discussion on the Facebook post: https://news.ycombinator.com/item?id=18202589.

How do I check if I've deleted Facebook?

Does deleting Facebook mean I no longer have a right to know if my data was breached while I was a member?

What if I never signed up. I am sure they know about me. Wonder if there is a way to request that information from them...

Yes they do, it's called a shadow profile[1].

If you're in Europe you might have some recourse (GDPR and such), but if you're from the US you are most likely out of luck.

Regardless, Facebook might have a detailed profile on you but not know your name. I doubt there is much you can do.

[1]: https://theconversation.com/shadow-profiles-facebook-knows-a...

On the other hand, there's no way to log into a shadow profile, and shadow profile information is never displayed to any logged in user, so you're safe against this particular exploit.

If any of your other apps are connected to fb then all your info was likely granted to fb as well.

FB should timestamp these articles. It happened a couple of weeks ago, or is this new news?

Everybody should timestamp all articles.

People don't want to because they want their content to be "evergreen" and they think that if there's a date that's more than a year or so old, people will disregard / discount the content. So by default many blog CMSs default to not showing the date of any articles.

Facebook is not a small blog operator. They should view this as a professional communications medium.

Someone in Facebook's PR department is reading this part of the thread and saying "it's working!"

If your content is "evergreen", show me a "last updated" timestamp in the last year.


Published timestamps. Another vestige of the earlier blog web.

You can thank SEO for that. Something about older content being less "relevant"

This is new, particularly the details around search history and location data being stolen, as of an hour ago.

I think it's the security incident that happened couple of weeks ago and they have more details now?

The first article has the date at the top: "October 12, 2018".

They might intend to repeatedly update the second one, which might be a reason not to put a published date on it.

I forget what the text looks like in your second link when you're not logged in but after I logged in the verification text appears as follows:

""" Is my Facebook account impacted by this security issue? Based on what we've learned so far, your Facebook account has not been impacted by this security incident. If we find more Facebook accounts were impacted, we will reset their access tokens and notify those accounts. """

I'm curious, did they reset everyone's tokens? I remember the day when I was meeting friends for dinner and we all just got logged out of fb at the same time.

I get the same message that I'm not likely impacted

Same, I think, I commented to my wife something like "that's worrying I've been logged out, sometimes that means your account is compromised", but I get the "you're not affected" message too.

IIRC that was on Facebook Lite on Android. I don't know my password so didn't log in at the time, but it just worked the next time I tried.

Might be unrelated.

I see the same thing. Wonder if anyone was informed that actually had been affected.

I have been affected, quoting text:

Is my Facebook account impacted by this security issue?

Yes. Based on what we've learned so far in our investigation, attackers accessed the following Facebook account information:

    Email addresses.
    Phone number.
Based on what we've learned so far in our investigation, the attackers did not gain access to certain information, such as:

    Account passwords.
    Payment card or credit card information.

Mine continues:

Additionally, the attackers also accessed other account information, including:

- The following information associated with your Facebook account:

    - Username.
    - Date of birth.
    - Gender.

 - Types of the devices you've used to access Facebook.
 - The language you choose to use Facebook in.

 - If you previously added this specific information to your Facebook account, it was also accessed:

    - Relationship status.
    - Religion.
    - Hometown.
    - Current city.
    - Work.
    - Education.
    - Website.

 - The 10 most recent locations you've checked in to or been tagged in. These locations are determined by the places named in the posts, such as a landmark or restaurant, not location data from a device.

 - The 15 most recent searches you've entered into the Facebook search bar.

 - People or Pages you follow on Facebook.

Had the same list as you, I was just happy it did not mention Messenger since that would be accessing truly private data.

The data you listed is semi-public in my case.

There's lots of "verification" data there, and lots of info to make convincing phishing attempts. That's serious juju.

Like if I say "I'm calling from Samsung about your SMA500FU, phone number #####, ..." that gives me a lot of trust for a phish.

I wonder, say, how many phones I could get by mailing people an envelope saying their phone was at risk of exploding, sending corresponding texts, etc.

I also got an alert in my feed. I stopped using Facebook 2 years ago... I didn't delete my account. But this incident highlights the latent risk our data poses across hundreds of websites...

Is my Facebook account impacted by this security issue?

Yes. Based on what we've learned so far in our investigation, attackers accessed the following Facebook account information:

  Email addresses.
  Phone number.
Based on what we've learned so far in our investigation, the attackers did not gain access to certain information, such as:

  Account passwords.
  Payment card or credit card information.

They should not require you to log in to their site to look up whether they have victimized you. I used to have a FB account but threw the random password away. Was I affected? No way to know?

Not to mention those of us with deleted Facebook accounts. It looks like I’m not affected but to anyone who had an account during those dates and deleted it since, how do they find out?

Yet another reason they should email affected users, guess they care more about not publicizing bad information than taking responsibility.

They explicitly state they will email impacted users.

Does a user with a deleted account qualify as an impacted user? I think the visibility is an issue.

As one of those people, this summer I encountered a spotify issue where my spotify would randomly start playing Cannabis Club ATL. Others had the same issue. Perhaps unrelated, too difficult to tell, especially if FB doesn't consider me an active user.

Does a user with a deleted account qualify as an impacted user?

If they still store some user details (which it seems they do) and then this leaks - absolutely.

What about those who have never been users yet Facebook stores plenty of information about?

Does that mean they are still storing my email address? I deleted my account 2 years ago.

I don't know. I don't see how you would be impacted without an account.

I guess they may be concerned with unauthenticated users checking if others are compromised.

Likewise. They should send a notification to all e-mails on record for compromised accounts.

It's such bullshit that they put the info into a card that disappears after the first time you read it.

Thx for the check-link :)

I understand in general that only "pure" facebook users were impacted and that "WhatsApp" users aren't?

(not sure how integrated WhatsApp is with the Facebook infrastructure - I do use WhatsApp but I don't have a Facebook account)

The best way to keep your passwords secure is the old fashioned way. Write them down and put them in a lock box. I only access my financial information from one computer. Perhaps I am paranoid.

True but not relevant at all to the current discussion.

I'm one of the unlucky 400,000 who had the most information stolen. Complete notification:

    Is my Facebook account impacted by this security issue?

    Yes. Based on what we've learned so far in our investigation, attackers accessed the following Facebook account information:

      * Name.
      * Primary email address.
      * Most recently added phone number.
    Additionally, the attackers also accessed other account information, including:

      * The following information associated with your Facebook account:
        * Username.
        * Date of birth.
        * Gender.
        * Types of the devices you've used to access Facebook.
        * The language you choose to use Facebook in.
      * If you previously added this specific information to your Facebook account, it was also accessed:
        * Relationship status.
        * Religion.
        * Hometown.
        * Current city.
        * Work.
        * Education.
        * Website.
      * The 10 most recent locations you've checked in to or been tagged in. These locations are determined by the places named in the posts, such as a landmark or restaurant, not location data from a device.
      * The 15 most recent searches you've entered into the Facebook search bar.
      * People or Pages you follow on Facebook.

    A small subset of Facebook accounts, including yours, had additional Facebook information made available to the attackers. Learn more about how this information was made available. This is specifically information that appears when viewing your own profile and includes additional information, such as:

      * Posts from your timeline.
      * Your Friends list.
      * Messenger conversation names, but not their contents.
      * If you are a Page admin, you may have also had messages to your Page made available to the attackers.
      * Groups you're a member of.

    Based on what we've learned so far in our investigation, the attackers did not gain access to certain information, such as:

      * Account passwords.
      * Payment card or credit card information.

> If you are a Page admin, you may have also had messages to your Page made available to the attackers.

That seems to stand out to me as a bit of an outlier. Depending on the kind of page that an affected individual operates, that could be pretty big.

> The 15 most recent searches you've entered into the Facebook search bar.

I can see how the attacker can use this to blackmail somebody.

I don't. Can you provide an example or two?

"single female friends who live in <town you just visited>" while you are married, for example?

I’m curious do you post random stuff on FB or do you do a lot of political activism? I’m curious if these are random or targeted? Also how many FB friends do you have?

All companies that deal with personal data should be required to display a list similar to the above as a warning: "In case of a security breach, your personal information will be made available, including but not limited to: ..."

The warning should be displayed during registration and then repeated monthly as a reminder.

This is why I hate not having custom security questions from Banks. What is my father's middle name? Well, if you have facebook and he puts it up there you can find out. I have no control over that.

I could start using fake answers but trying to remember the fake answers vs real answers is tough. Whereas when I get a custom question I have a custom answer that I will always remember. Such as made up on the spot Name of the babysitter with curly finger nails. I remember that and no one can figure it out based on the internet.

I use KeePass for password management and the way I handle this is I generate a random string for each security question answer, then just include it in the Notes field of the entry.

People are social engineering a random string when talking to customer care. The attacker says “Ah, a bunch of random characters, do I have to say it?” or even worse I have had a customer service rep look at it, laugh and say never mind.

I use “batteryhorsestaple” type of passwords stored in a password manager for the security questions. Those are easy to say over the phone and more resistant to social engineering.

1password actually supports password generation of the 'correct horse battery staple' variety, bypassing this issue entirely.

when will 1password be hacked? genuine question. is that a worry or is there something about the implementation that makes that not a worry?

When LastPass was hacked, the way they stored data helped protect users: https://blog.lastpass.com/2015/06/lastpass-security-notice.h...

It's funny that in a topic complaining about a company who spies on its users someone brings up Last Pass, which says right in its TOS that they spy on all your browser traffic and share that info with marketing partners.


It basically says they collect everything possible to collect and will use it for anything they want, including sharing with 3rd parties.

So that's why they want me to change my password (I've had the same one since pre-acquisition days.)

Security Answer: HelpAnImposterIsTryingToHackMe

>The attacker says “Ah, a bunch of random characters, do I have to say it?

The vast majority of users aren't using random characters, so how would they know to say that to begin with? Are you implying they try that line, idk, 10,000 times until it (maybe) works?

Nah, it would go like this:

Support: what is your father's middle name?

Hacker: Michael

Support: sorry that is wrong

Hacker: oh shoot, I forgot, I always put the incorrect information in this one... I can't remember, did I put a fake name or random characters? Or was this the one I put a bunch of words into?

Support: yeah, it looks like random characters... let's move on

Proper training, required. That person presumably is legally liable as they've breached the provider's security by giving information; and maybe given away PII.

This is the point of failure. This never comes to fruition.

"Computers are hard, and I'm just not very good with them!"

One idea:

attacker accesses recovery answers for site A. Sees that it is random characters. Attacker has access to site A.

Attacker phones sites B, C, D and E, tries social engineering. Attacker now has access to sites B, C, D, E also.

How about "donotgiveoutoverthephone"?

I like the idea of doing this plus the random characters.

"identity theft high risk 2fZMbjL1lLZgnS8La"

Good point. Looking at my database it seems that most of the time I just choose fake answers, and sometimes use words that don't relate to the question (e.g., "Favorite food: Manchester").

I used to use real answers but then wised up and switched to random 16-character responses. I wish there was a way to find out which services I’m vulnerable on due to my stupidly using real data, without attempting to do a password reset on all of my online accounts.

> wised up and switched to random 16-character responses

As an earlier comment pointed out [1], random responses to security questions are a bad idea. I've personally tested this by entering a random security answer, calling the service, saying I forgot my password and entered gibberish as my security answer, and being let through. I presume technically-savvy people think this is more secure; if I can guess that, an attacker can too.

[1] https://news.ycombinator.com/item?id=18203907

I’d love to know which businesses have such an asinine policy. Name and shame! They are basically allowing a password reset with zero authentication.

Company policy wouldn't matter as much as just getting the wrong customer service rep that is trying to be a bit too "helpful".

In social engineering, it is common to call back multiple times looking for a gullible customer service rep. Even using a recording of a crying baby in the background to garner sympathy is something I've seen done.

Any business large enough to have call centre like operations - and the cost-centre mindset that goes along - where people are underpaid and pressured to take as many calls as they can?

Naming and shaming of sufficient magnitude would put pressure to select for more strict customer service representatives. If they could get fired for doing that, they would think twice.

I think a better idea, due to the issues pointed out by others, is to use valid sounding answers but not real answers. So if your mother's maiden name is Smith, don't put f4jjedglkej. Put something like "Anderson" and then store that answer in your password manager. This is what I do in order to avoid potential social engineering or employees that are simply confused by a gibberish answer.

You can get a fair amount of entropy out of names, and there are often multiple name type questions (somebody's maiden, friend's nickname, favorite teacher). Luckily it's hard to hammer customer service reps with repeated attempts, at least until the AI for voice personal assistants get a little better.

Of course, if the customer service rep can see the plaintext, it's not particularly secure is it?

I don't understand what this buys you. If you have access to your password vault, why do you need the security questions? If you lose access to the vault, don't you lose the account?

The problem is that when someone claims to be you and says they've lost your password, the security questions are sometimes the only thing preventing the customer service rep from letting them bypass the password entirely.

These questions are often required to be answered and some places, like vanguard, use them as a form of 2fa. Additionally, it's possible for the bank to reset passwords for some reason (hack, error, etc) and still keep these around. The point is no longer account recovery, that's correct, but it does buy you a lot of things.

I use 1Password but it's not fool proof. I did fake answers for a business account then promptly forgot about it and locked myself out of the account a few months later. But yes, this is the best way to do it by far.

I do exactly the same.

Big pain the few times I've had to read over the phone a giant randomized string, but the phone reps always seem to think it's funny.

Use a Gasser password generator, like the one in Multics[1], to make passwords that are easier to pronounce, but still long and complex enough to offer some value as security challenge answers.

You can read 'mettlograter' or 'donetrapalyn' over the phone as easily as you can type them, and they're much better than '/1a!P:l3', which has approximately the same complexity.

[1] https://multicians.org/thvv/gpw-js.html
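Two generation strategies come up in this thread: the "correct horse battery staple" word passphrase mentioned for 1Password, and the pronounceable strings the Gasser generator produces. The block below is an added example, not code from 1Password, Multics or any commenter, and implements both ideas in Python with an entropy estimate for each so the trade-off is visible. The word list is a small constructed sample (a real deployment would use a large published list), and the pronounceable generator is a simplified consonant-vowel alternation, not Gasser's trigram-frequency algorithm.

```python
import math
import secrets

# Constructed sample word list (32 entries, 5 bits per word). A real list such as a
# diceware list has thousands of words and gives roughly 12-13 bits per word.
WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zephyr", "bishop", "copper", "desert", "engine", "fossil", "glacier", "hammer",
]

# Letters used by the simplified pronounceable generator (assumption: alternating
# consonant/vowel is "speakable enough" for reading to a phone rep).
CONSONANTS = "bcdfghjklmnprstvwz"   # 18 letters
VOWELS = "aeiou"                    # 5 letters


def passphrase(n_words=4, words=WORDS, sep=" "):
    """Pick n_words uniformly at random (with replacement) from the word list."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(n_words=4, words=WORDS):
    """Entropy of a passphrase drawn as above: n_words * log2(list size)."""
    return n_words * math.log2(len(words))


def pronounceable(length=12):
    """Alternate a random consonant and a random vowel, starting with a consonant."""
    return "".join(
        secrets.choice(CONSONANTS if i % 2 == 0 else VOWELS) for i in range(length)
    )


def pronounceable_entropy_bits(length=12):
    """Entropy of the alternating pattern: consonant positions contribute log2(18),
    vowel positions log2(5)."""
    n_cons = (length + 1) // 2
    n_vow = length // 2
    return n_cons * math.log2(len(CONSONANTS)) + n_vow * math.log2(len(VOWELS))


def is_pronounceable_pattern(s):
    """True if s follows the consonant/vowel alternation produced by pronounceable()."""
    return len(s) > 0 and all(
        (ch in CONSONANTS) if i % 2 == 0 else (ch in VOWELS) for i, ch in enumerate(s)
    )


if __name__ == "__main__":
    print("passphrase:", passphrase(), f"({passphrase_entropy_bits():.1f} bits)")
    print("pronounceable:", pronounceable(), f"({pronounceable_entropy_bits():.1f} bits)")
```

With the 32-word sample list, four words give only 20 bits; the same four words from a 7,776-word diceware list give about 51.7 bits, which is why list size matters more than word count. A 12-character alternating string is about 38.9 bits, comparable to a much shorter string of random printable ASCII, but far easier to read aloud without the "do I have to say it?" problem raised earlier in the thread.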

For security questions, to avoid social engineering, you are better off using real, but incorrect answers and saving those. So for favorite food, put broccoli instead of your actual favorite food, rather than nonsensical answers.

Security questions are IMO an awful form of account recovery, as they often use publicly available data about yourself. It's basically downgrading the security of the account more often than not.

If there are no custom security questions, I use my password manager to store them and put random answers not tied to myself personally.

But you can give that answer to any question they ask. That's what fake answers are all about.

It depends. In the cases where they ask you for the answer you have control, but sometimes security-question-like things will just end up being personal data queries like "To what address did we send account statements in June of 2016", and if a bank (or whatever) asks questions like that to confirm identity over the phone there's no way you can compel them to do otherwise, short of taking your business elsewhere. Techniques like asking them to add a note to your account or flag it as locked only work if the CS people read and obey them; oftentimes social engineering attempts will re-dial CS lines until they find someone who is tired or generally sloppy and get them to push the change through.

Fixed security questions just seem like a flawed idea anyway. When creating an account to access a significant financial service online recently, I was given a list of some 20 security questions and asked to choose 3. The problem was that 18 of them didn't apply to me or had no clear answer of the kind that I would certainly remember in the event that those questions were actually needed to prove my identity. These things are probably second only to using SMS-based 2FA for annoying security measures of questionable effectiveness being mandated by ever more services (though the new voiceprint-based 2FA is closing fast).

The hackers stole session tokens. It's not about passwords and security (well it is, but not on the user level), it's about better securing access to certain data.

Security questions are DUMB. They are exactly the same authentication mechanism as a password (i.e. proving you know some piece of information). So you basically have multiple backup passwords in case you forgot the first one. But worse.

If you create a different password for them, because you rarely use those answers, you won't be able to remember them when they are actually needed. If you generate them with your password manager, then when you lose your password you lose them too. If you actually answer the questions with real information, you basically created a weak password.

All in all, security questions are a terrible idea.

In my password manager, I save nonsensical answers (not a string of random characters) to built-in questions.

Wait, wait, was your high school mascot the leprous gummywormbat too?

PSA: Whoa, wait. I just thought, since personal data of about ~30 million people was leaked, most of them would be having Gmail accounts. So, isn't Gmail under threat too? I think GOOGLE should also issue an advisory asking people to change their security questions. Did I miss something?

Google has been actively trying to get people to stop using security questions in favour of various kinds of two-factor for quite some time now (mainly mobile phone number based stuff). They'll be fine.

I know, but many still might be using these questions right?

Or just don't use facebook.

How is this relevant? Hackers can steal recovery question answers regardless of whether web token vulnerabilities exist. And web token vulnerabilities can exist regardless of recovery question strategies.

As a kid with a newspaper round I set up a bank account and didn’t know what it meant when I was asked for my mother’s maiden name, so made up an answer. Accidental security. It is a hard problem.

What? No! Custom security questions result in stuff like:

“Am I blonde?”

“What’s my shoe size?”

“How old am I?”

“Do I have a dog?”

And of course, the answers to those are incredibly easy to guess / enumerate.

It's possibly even worse than that.

I read a comment on HN that they decided to use a random word like "banana" as the answer to a security question like "What's your mother's maiden name?" Within a couple of days, the bank called his house and spoke with a different relative to get the real answer.

I use random strings of length 32 for every security question. So it's like

Q: What's the name of your first pet?

A: pVp5TxN7htNC3B3Tae3RaPLndpLj5LeV

Logged in today and found:

"[name], we have more information about the security incident we discovered on September 25, 2018. An unauthorized third party accessed your name, email address and phone number. We acted quickly to secure the site and took action to protect your account, and we're working closely with law enforcement to address the incident."


Why is that ridiculous?

Here are the facts:

1. A software company had a security incident.

2. They urgently resolved the issue.

3. They looked into who was impacted, and sent customized notifications letting people know how they were impacted.

None of this behavior is ridiculous. It's quite responsible. What would you expect to happen differently?

Well, let's see. A feature used to view profile information had a vulnerability that allowed an attacker to get my phone number. My phone number isn't even listed on my profile.

This means the credentials from the original implementation of said feature weren't locked down to only data available from your viewable profile.

While my phone number may be available elsewhere outside of FB, I only have it tied to my account as a password reset contact.

> This means the credentials from the original implementation of said feature weren't locked down to only data available from your viewable profile.

Yeah, that's the entire security incident. So are you saying you expect software companies to never have security incidents? Now that's ridiculous.

Why is that ridiculous?

It's only possible with a very different set of tradeoffs around risk and innovation than are the norm in software. It takes NASA-grade layers of slow development processes to be 100% certain that there will never be any incidents.

Most companies, most developers, and most consumers would not be happy with the cost and speed this would result in.

In short: it's not that it's impossible. We know how to do it. It just comes with a cost attached that nobody wants to pay.

And let's keep in mind how successful NASA safety policies actually were.

Perfect safety is a pipe dream.

I mean, I'm not aware of any software security incidents involving the Apollo or Shuttle systems, so the system seems to work that far.

Let me ask you this: Have you done any programming yourself?

Facebook has some of the best information security researchers, takes bug bounties seriously, and they have very few hacks compared to the effort hackers put into hacking it.

The vulnerability allowed the attacker to obtain an access token for your site. So with that access token, they presumably had full access to everything as if they were you. Hence their ability to get a phone number not listed.

I'm not sure if the web interface uses those same access tokens, but the mobile app probably does. So they were probably able to access everything using unpublished API endpoints that the mobile app would normally use.

Right, I get that. I just think, or would hope, rather, that access tokens are locked down appropriately or never "over-granted" access to unnecessary data. In this case, my phone number which isn't on my profile.

If that means different API tokens for different services, then maybe that's a better way to do it. I'm not Facebook, though.
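The exchange above turns on one design point: a token minted for a narrow purpose (rendering a public profile view) should not be able to read fields, such as a phone number, that the view never displays. The block below is an added example, not Facebook's code, showing one way to enforce that in Python: tokens carry an explicit scope list, are HMAC-signed so scopes cannot be edited client-side, and each field is gated on the scope it requires. The scope names, the signing key, the account record and the field-to-scope map are all hypothetical and constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical per-process signing key; in practice this lives in a key management service.
SERVER_KEY = secrets.token_bytes(32)

# Constructed sample account record and the scope each field requires.
ACCOUNT = {
    "user_id": 42,
    "name": "Ada Example",
    "username": "ada",
    "email": "ada@example.org",
    "phone": "+1-555-0100",
}
FIELD_SCOPE = {
    "name": "profile:public",      # shown on the public profile view
    "username": "profile:public",
    "email": "contact:read",       # never rendered on a profile view
    "phone": "contact:read",
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: int, scopes, key: bytes = SERVER_KEY) -> str:
    """Mint a token bound to a subject and an explicit, minimal scope list."""
    payload = json.dumps(
        {"sub": user_id, "scopes": sorted(set(scopes))}, separators=(",", ":")
    ).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, key: bytes = SERVER_KEY):
    """Return the claims if the signature checks out, else None."""
    try:
        enc_payload, enc_sig = token.split(".")
        payload, sig = _unb64(enc_payload), _unb64(enc_sig)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(payload)


def read_profile(token: str, account=ACCOUNT, key: bytes = SERVER_KEY) -> dict:
    """Return only the fields whose required scope the token actually carries.

    Fields the token is not scoped for are omitted rather than returned empty, so a
    caller holding a view-only token cannot learn that a phone number exists at all.
    """
    claims = verify_token(token, key)
    if claims is None or claims.get("sub") != account["user_id"]:
        raise PermissionError("invalid token or wrong subject")
    granted = set(claims["scopes"])
    return {
        field: value
        for field, value in account.items()
        if field != "user_id" and FIELD_SCOPE[field] in granted
    }


if __name__ == "__main__":
    view_token = issue_token(42, ["profile:public"])
    print("view-as token sees:", read_profile(view_token))
    full_token = issue_token(42, ["profile:public", "contact:read"])
    print("contact-scoped token sees:", read_profile(full_token))
```

The check that matters is in `read_profile`: the data layer filters on the token's scopes rather than trusting the calling feature to ask only for what it shows. A token minted for the "view as" flow with only `profile:public` then cannot return the phone number even if the code path requesting it is buggy, which is the property the commenter is asking for.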

> name, email address and phone number

I kind of work on the assumption that those things are largely public. I mean, phone books were a thing for a very long time. Don't get me wrong, leak bad, very bad, but they didn't leak my bank accounts or a list of my worst fears.

Did you read the article?

"For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. "

The attackers accessed different info for different groups of people.

FYI people will downvote you for suggesting someone hasn't read the post. (And I don't think it was necessary to make your point.)

HN guidelines:


>Please don't insinuate that someone hasn't read an article.

Hm, that's a bit of a silly rule. This isn't the best example, but there are certainly instances where someone is arguing from a point of complete ignorance about details in the article. Even the rule's preferred example of "The article mentions that." still seems to me to insinuate someone hasn't read the article.

I think it is just more polite to cite the article than make an accusation. There is no real benefit in accusing someone of not reading the article. This seems like a case of fostering civil discussion without losing any clarity. Since "you must not have read the article." or "did you even read the article?" adds nothing to the discussion.

People have pride. Publicly claiming they messed up is a direct challenge, and it will hurt that pride, regardless of whether or not they did. When you hurt that pride, conversations go sour. And, in all fairness, do we expect someone to say “well, gosh, you’re right; I did indeed mess up. Sorry!” You can probably imagine that’s not how people work.

It’s a rule because of the effect it has on the conversation that follows, not because it is Just or Unjust. In that sense, HN is not like a court. As much as people, at times, seem to think it is :p

On top of people wanting privacy about that stuff, there’s also probably enough there to get through a lot of “password recovery questions”, for sites that have those. Especially if they can get similar info about your family (through the same FB breach).

Too often an email address plus correct answers to questions like “what’s your mother’s birthplace?”, “what’s your father's middle name?”, “what’s your favourite hockey team” are used to prove identity online, and these types of questions could be very answerable from this breach.

Can you have that information entered into Facebook without then showing to anyone but yourself? If so, why would you have the info in there? If not, and as is common, you allow friends to see it, then that information is basically public anyway unless you are very, very selective in who you accept as a friend.

Even when being selective, there is no identity verification, so it is common for spammers or data collectors to simply make an account using the name and profile pic of any of your friends and requesting to be your friend.

Yes, Facebook forces you to put in a phone number, for example, for "backup authentication" "verification" purposes, and if you don't want to show that to your friends or the public you must set it to private. The default is something like "show to all friends".

There are many preferences in facebook that are like that - unavoidable/impassible fields that ask for info, and then you set it to "private/only yourself" to prevent information leakage, but are set default to world or friend visible.

It's a dark pattern that's all over facebook - you will see it if you install the facebook mobile apps - you can't proceed to surf your timeline without clicking through and answering questions sometimes - best thing is to fill in blank/gibberish info, but sometimes phone numbers, etc can't be avoided.

If a business model of a company is based on monetizing user data, it seems only fair that in cases like this flow of the money is reversed - from Facebook to users.

Otherwise it seems that big tech has limited risk and huge upside.

edit: 40acres put it more eloquently - Regulation is coming. If data is the new oil these are the oil spills that lead to the EPA.

Got the same message. So what's the recommended thing to do. Rotate all your passwords and security questions?

I guess in this case, - rotate all your names, phone numbers, and addresses. :(

In all earnestness, Facebook would have required password reset if it were needed.

If you were one of the unlucky ones then check your security data at banks and any other place that has financial info, or ability to spend money (Amazon, etc.).

More important is perhaps to warn less savvy people to be vigilant about phishing attempts.

Should it not be "Hackers Stole Detailed Personal Data of 14 Million People from Facebook" ?

Exactly this. Please forgive me reposting an old comment[0]:

This sort of victim blaming is all too common in the mainstream press:

IRS Says More Taxpayers May Have Been Hacked http://time.com/4000659/irs-taxpayer-hacked-cybercrime/

It wasn't the taxpayers that were hacked - it was the IRS.

Hackers stole personal information from 104,000 taxpayers, IRS says https://www.washingtonpost.com/news/federal-eye/wp/2015/05/2...

Hackers did not steal personal information from 104,000 taxpayers - they stole it from the IRS.

Smaller media outlets often get it right:

Over 700,000 People Got Screwed in Last Year's IRS Data Breach http://gizmodo.com/over-700-000-people-got-screwed-in-last-y...

[0] https://news.ycombinator.com/item?id=13681544

I guess directly mentioning the user makes it sound more personal, and click-worthy.

Exactly. If it’s “hackers stole my data from [insert company here]” then it should really be my data. In which case, I want those companies to either delete it or pay me for it.

If I type my full name on google, I can find my home and cell phone number, age, all family members, home address, my last home address, and my google + (fb and LinkedIn I changed settings so not searchable).

And it’s a pain to ask them to delete the info. It’s obscure and time consuming and no guarantees. That in my mind is worse than anything here. I didn’t allow that info to be public, we need more privacy laws.

1. The problem isn't Google. It's those companies that make your details available on internet.

2. Your personal data is already collected meticulously by companies like Acxiom and Equifax for anyone who is ready to pay. You would be amazed how much information they have on you already. What are you going to do about it?

Sounds like a startup opportunity. For only $5, we'll file take down notices left and right for all the info that is available online about you.

There are already multiple players in this space, but last time I checked none were very reputable or well reviewed, so hey, still an opportunity.

I think you'll be burning through a lot of VC money to pay anybody to do it for five bucks, hell, why not Fiverr?

Use the block chain to track it ??? Profit

Right to be forgotten

Interesting trend I'm noticing with Facebook data controversies: 3rd parties are exploiting Facebook's connectedness to exponentially scale the # of accounts targeted by an attack.

Both Cambridge Analytica and these hackers were able to launch a successful attack on a relatively small number of accounts and through Facebook's graph like network were able to leverage the initial attack to affect more people.

Social networks mirror real life networks; they can be attacked with virus like tendencies.

Regulation is coming. If data is the new oil these are the oil spills that lead to the EPA.

Spot on. Another comment here sounds like it may be suggesting mandatory bounties -- at first glance that sounds very bad for small players, but some thresholds and/or percentages of revenue make the concept more palatable. The users themselves should be able to receive some kind of equitable relief too, but it's difficult when a single user's data is worth <$100 yet the cost to the user is potentially a much larger sum.

Regardless, I completely agree - that's almost surely where this is headed.

The current administration is actively dismantling the EPA, so I'm not sure this is the best analogy.

There's no real appetite for regulation of commercial data use in the US on either end of the political spectrum. And this is a good thing, because GDPR-style regulation would do nothing but further entrench the big players and crowd out innovation.

If Facebook could go back in time and choose between:

a) Paying out a $1m USD bug bounty, or

b) Accepting the reputational hit from a successful exploit

I wonder which they would choose with perfect hindsight?

Facebook runs a great bug bounty program, but given Facebook's size, data footprint, and profitability, perhaps it's worth increasing the rewards.

Perhaps any reported vulnerability that can lead to the compromise of user data at scale should automatically be paid out $1M.

Are you suggesting requiring this by law?

If Facebook offered a single $1m bug bounty, it would have likely gone to some other vulnerability besides this.

I would guess Facebook gets a fair number of bug bounty reports of equal or greater severity than this one. Also, in the past on HN when people argue that the payout of a bug bounty is too low, there have been comments saying web vulnerabilities are pretty much worthless on the black market.

Title says 14M people but Facebook's notice says this:

>We have now determined that attackers used access tokens to gain unauthorized access to account information from approximately 30 million Facebook accounts.

They got 30 million users' access tokens. They didn't do anything with 1 million of them but grabbed contact info from 29 million people and additional profile info from 14 million of them, according to Facebook.

So: “We collected detailed personal data on 14M people, much of it not directly given to us by those people. This created an enticing target for data thieves. Despite our obscene profits from data, we disproportionately reinvested in protection of this sensitive information. Since we lacked security and have a unique ability to hold more data in one place than anyone else, thieves got more of your data than they could have dreamed of.”

Did I miss anything?

So they've just participated in Facebook's exact business model, just never paid for the data. Anything really concerning here?

So much this!! Facebook's mad they didn't make any cash off it.

Facebook is just pissed that a marketing or analytics company didn't pay them.

When will we start prosecuting these companies for letting user data get hacked? If you cannot protect user data, you have no business dealing with it. At the very least, there should be monetary compensation.

We’ve accepted their terms on signup...

I guess I don't really understand the frustration of some people. I do, but I don't. I don't have a Facebook account, or Instagram, or any social media; haven't had one in many years. No one NEEDS to have one. I guess to me, if you don't want this info to be exposed, just don't have an account. Assume the worst can happen. This is not like other sites; I get that you're "trusting" them with your info, but you are willingly putting your information there, so just don't.

> but you are willingly putting your information there, just don't

I know you're the Area Man Constantly Mentioning He Doesn't Own a TV[1], but...

Facebook probably has a profile on you containing personally identifiable information. If literally anyone who has ever had your phone number or email address also had a Facebook account, and gave Facebook access to their contacts, that's the ballgame. So maybe be a little less sanctimonious about telling others not to give away their data, because I'd bet all the money in my wallet Facebook has data on you.

[1] https://www.theonion.com/area-man-constantly-mentioning-he-d...

You forget that you don't need to have a Facebook account for Facebook to create a profile for you. You just have to exist.

The same is true for many other social networks.

So while you're posting about being all smug and happy that you never signed up for one of these services, your personal data is still in their servers, ready to be exploited by both the company and hackers.

Oh yes I understand that very much, but I do what I can not to help them. The point I was making is about people who willingly put all of their info there, photos, addresses, location etc.

"No one NEEDS to have one. "

So what? That doesn't change a single thing. All you are doing with this line of thinking is blaming the victim. The fault here is Facebook's and the attacker's. No one else's.

A downside to having deleted my facebook account before this security breach was reported is that I cannot find out if my data was compromised.

The multi-billion dollar question is still... how many of them were EU citizens?

Why? Do you think they didn't report this breach to a supervisory authority? Even though they made it public?

That is not the only thing you can get fined for under GDPR.

I’m fairly knowledgeable in the GDPR and I’m legitimately curious what you think the fine basis would be related to this breach.

A few things made me wonder:

1) https://news.ycombinator.com/item?id=18203002

This comment suggests that they discovered the vulnerability and spent two days working out how to fix it, whilst leaving the site live for exploitation.

2) Did they report the breach in a timely manner? That is not clear to me yet.

3) Until a detailed analysis is done we don't know if there was anything negligent about this.

4) If in other investigations into Facebook it is found that Facebook were storing data they had no right to, and it transpired that they had lost some in this attack, they would be culpable because they shouldn't have had the data to lose.

So nothing specific, but lots of maybes.

We don’t have a lot of case law to go on, but generally speaking most experts assume Article 33 will be the easiest part of the GDPR to conform to.

Even under the harshest interpretations 3 days is the standard, and that comes with all kinds of outs.

As for the rest of your points, they largely are not covered by the GDPR at all.

For instance I’ve never seen an interpretation of the GDPR that required a timeframe for remediation.

Further there is no requirement to allow a supervisory authority investigatory power after a breach.

In any case this appears to be Facebook acting with extreme transparency. Exactly what the regulators want. It would be weird if this led to negative ramifications.

As with any breach it is always interesting to see how the scope gets broadened day by day. Tomorrow there might be some headline like "Hackers actually took all of your location data, a timestamp of every breath you took in the last week, and 4K video of everything you looked at through your eyes for the last ten years."

And of course they make sure that the bad news comes out on a Friday. FB has all the credibility of a greasy politician at this point.

Never been a member, but I do receive regular notification emails from a Fb account/person I don't know, and an account I've never had anything to do with.

Yesterday, after news of the stolen data emerged, I received a "Facebook password reset" email sent to my gmail address. I ignore them all and filter them as spam, but sometimes I see them. The email headers do show the source is Facebook.

Seems like Facebook allows new account sign-up from unverified email addresses. That's a flaw in their policy against spam and abuse, making these hacking events worse when they happen. They need to use activation codes sent to the email address used to sign up.
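The sign-up flow the comment above asks for, written out as an added example (it is not code from Facebook or from anyone in this thread, and the names and the 24-hour expiry are assumptions): a sign-up creates an inactive record and a random activation token, only a hash of the token is kept server-side, the account becomes active only when the link carrying the token is followed before expiry, and account emails such as password resets are sent only to addresses that have completed that step, which is what stops an account from being registered on someone else's address.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumption for this example: activation links are valid for one day.
TOKEN_TTL_SECONDS = 24 * 3600


@dataclass
class Account:
    email: str
    token_hash: str      # SHA-256 of the token; the raw token only ever travels in the email
    expires_at: float    # unix time after which the activation link is dead
    verified: bool = False


class SignupStore:
    """In-memory stand-in for the user table (constructed for this example)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now            # injectable clock so expiry can be tested
        self._accounts: Dict[str, Account] = {}

    def start_signup(self, email: str) -> str:
        """Create an inactive account and return the activation token to email out."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, unguessable
        self._accounts[email] = Account(
            email=email,
            token_hash=hashlib.sha256(token.encode()).hexdigest(),
            expires_at=self._now() + TOKEN_TTL_SECONDS,
        )
        return token

    def activate(self, email: str, token: str) -> bool:
        """Called when the activation link is followed. True only on a valid, unused, unexpired token."""
        acct = self._accounts.get(email)
        if acct is None or acct.verified:
            return False                     # unknown address, or link already used
        if self._now() > acct.expires_at:
            del self._accounts[email]        # stale sign-up: drop it, the address was never proven
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, acct.token_hash):
            return False                     # constant-time compare, no timing side channel
        acct.verified = True
        return True

    def is_active(self, email: str) -> bool:
        acct = self._accounts.get(email)
        return acct is not None and acct.verified

    def request_password_reset(self, email: str) -> Optional[str]:
        """Return the reset message to send, or None if the address never proved ownership.

        Unverified or unknown addresses get nothing, so a stranger registering your
        address cannot cause the service to mail you. The caller should respond
        identically either way so the result does not reveal whether the address exists.
        """
        if not self.is_active(email):
            return None
        reset_token = secrets.token_urlsafe(32)
        return f"Password reset link for {email}: /reset?token={reset_token}"


if __name__ == "__main__":
    store = SignupStore()
    token = store.start_signup("alice@example.com")   # constructed sample address
    print("active before activation:", store.is_active("alice@example.com"))
    print("activation with right token:", store.activate("alice@example.com", token))
    print("second use of same token:", store.activate("alice@example.com", token))
    print("reset for unverified address:", store.request_password_reset("bob@example.com"))
```

The token is never stored in the clear, so a read of the user table does not let anyone activate someone else's pending account; the single-use and expiry checks keep an old link from being replayed later.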

Hey it's election season. Time to refresh DB. /s

I still think that Facebook can be tremendously useful, even if I unfollowed everyone and have zero posts (mostly to see events, access Facebook homepages, let people find my email address or just occasionally tell someone to send me an email instead of writing on Messenger) - but heck, this latest breach is a bit too much to swallow.

That's one of the numerous reasons I'll never use fb as a payment or ecommerce platform when they launch these products.

I doubt other payment or ecommerce platforms are any more secure. Given its size, I assume Facebook has a lot of smart people working on security. And they still screw it up. How are smaller platforms, who can't attract or pay for the very best talent, going to do any better (other than by being smaller targets, I guess)?

> I assume Facebook has a lot of smart people working on security.

I am not willing to roll the dice on that assumption.

I am. I know a bunch of them personally. They are definitely some of the best security people I know. They just have a really hard problem to solve.

If you think about it, a breach of 30 million accounts out of 2 billion ain’t that bad.

> a breach of 30 million accounts out of 2 billion ain’t that bad

That we know of. These sorts of leaks always seem to end up having a much wider impact than initially reported.

A payment company needs to worry about payment. Facebook has a ton of other features, any of which can be a vector for a hack.

As we just saw with Google and Google+.

> How are smaller platforms, who can't attract or pay for the very best talent, going to do any better

Well, they could just not collect as much data?

One thing a smaller platform could do to outperform Facebook would be to not collect as much personal info... privacy by design is a thing.

Visa and MasterCard seem to handle security OK.

This requires pretty loose definitions of OK, which, I guess, works out OK for Visa and MasterCard ?

Both systems experience what on the Web we'd consider a staggering level of problems. Fraud losses just in the UK for the card payment system exceed £500M per year. They're proud of themselves for catching about 60% by value of potential fraud. That is, people _tried_ to steal over a billion pounds each year, but only get away with £500M...

They use outdated cryptography, and they straight up lie to their partners, to customers and even to the courts. I trust them about as much as some random Etsy maker.

Now, my country's laws mean when Visa screws up, my bank, regulated by those laws, has to make me whole. And I'm a middle-aged white guy, so good old-fashioned unconscious bias means when I'm screaming at a regulator about my rights they listen.

But if I didn't have those laws, if I was an elderly black lady, I can expect that I'd be told it's not the payment card company, I must have secretly travelled to Hong Kong last weekend and bought $5000 of men's watches and so I have to pay for that transaction even if I have witnesses who say I never left... after all the computer says it was my card and how could that be wrong?

Centrally, perhaps. As a payment "platform" (i.e. including the merchants, POS terminals, etc.) that is very much not the case.

Companies that do 1 thing tend to do that thing well. Companies like Facebook or Google that do dozens tend to be sloppy.

You do know that Shopify is owned by Facebook? It's already happening. A lot of custom online shops use this platform to run their business.

Shopify isn't owned by Facebook.

Can you expand more on this?

And you know it's stolen, because they didn't pay Facebook for it the way they should have.

The headline made sense to me as "Facebook; says hackers, stole", or as "Facebook says, hackers stole".

The wording of this is so off.

Hackers stole personal information stored by FACEBOOK not 'people'.

It sounds like they are creating a new way for their company to avoid responsibility, just like banks created 'identity theft'.

And after that they want to put a Facebook camera in your living room?

I'm among the hacked people. I'm feeling so disappointed.

Don't feel bad... everyone, everywhere has been compromised. The corporations that say they have not are either ignorant or lying.

That's where I've ended up. I just assume that anything I enter on any website or app is potentially public. I've seen no real evidence that we as technologists and tech companies are able to do better.

To me, this is less about what a devil Facebook is, but that nothing is worth the risk that comes from putting too much of your data in one place.

Increase the bug bounty rewards for such things to depend on the scale so $1M-$10M bounty should be given. Otherwise face a reputation hit.

> For about 14 million people the hackers accessed information such as the last 10 places that person checked into, their current city and their 15 most-recent searches...

I imagine such information will be very useful for fine-tuning phishing scams. E.g. something like “we saw you the other day at the Baton Rouge State Fair, and it’d be a shame if anyone saw what you did there. Send 0.5 BTC here so no one finds out.”

Massive GDPR fine coming soon then?

This dataset seems more than usually worth procuring for the demographic data rather than the PII.

A detailed tech breakdown of the hack would be great, I assume this is out of the question?

What's the most sci-fi worst case scenario that could come of this?

Public collectively shrugs, sites get hacked all the time and nothing bad ever happens to them, so it's just people getting worked up over nothing.

I consider that pretty scary, at least.

Oh come on. Mass blackmail, that'd be pretty cool. Or models trained on our behaviour, subtly affecting the market to make us do silly things purely for the enjoyment of some accidental bitcoin millionaire, never detectable by governmental or human-intuition anomaly detectors because all effects are below the noise level. Something cool like this must be going on somewhere, and I want to read a (non-fiction) book about it.

Exactly the reason why Facebook should not store any PII.

What are the chances that a class-action lawsuit will follow? Not an expert on this, but I haven't seen it mentioned yet in this discussion.

Enough to subvert a few democracies.

"Hackers Stole" ...

Yeah. It's all their fault.

Dumb fucks.

The Facebook has the media by its balls.

They mean that what they already sell, was stolen without being paid for?

Luckily I deleted my Facebook account over the summer. One less account to have to worry about now.

Thank you for letting us know.

No problem.
